﻿using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Sso.Models;
using System.Collections.Generic;
using System.Security.Claims;

namespace Sso
{
    public class IdentityServer4Config
    {
        /// <summary>
        /// 添加api资源
        /// </summary>
        public static IEnumerable<ApiScope> ApiScopes =>
           new List<ApiScope>
           {
               new ApiScope("vip","超级用户API（权限范围-ServiceA）"),
               new ApiScope("general","普通用户API（权限范围-ServiceB）"),
               new ApiScope("administrator","客户API（权限范围-ServiceC）")
           };


        public static IEnumerable<ApiResource> ApiResources =>
            new List<ApiResource>()
            {
               new ApiResource("ServiceA","超级用户API（权限范围-ServiceA）")
               {
                  ApiSecrets ={ new Secret("vip-scope".Sha256()) },
                  Scopes = { "vip" }
               },
               new ApiResource("ServiceB","普通用户API（权限范围-ServiceB）")
               {
                  ApiSecrets ={ new Secret("general-scope".Sha256()) },
                  Scopes = { "general" }
               },
               new ApiResource("ServiceC","客户API（权限范围-ServiceC）"){
                  ApiSecrets ={ new Secret("administrator-scope".Sha256()) },
                  Scopes = { "administrator" }
               }
            };


        /// <summary>
        ///  唯一标识符
        /// </summary>
        public static IEnumerable<IdentityResource> IdentityResources =>
          new IdentityResource[]
          {
                  new IdentityResources.OpenId(),
                  new IdentityResources.Profile(),
          };



        /// <summary>
        /// 添加客户端，定义一个可以访问此api的客户端
        /// </summary>
        public static IEnumerable<Client> Clients =>
          new List<Client>
          {
              new Client
              {
                  ClientId = "vip1", // 客户端唯一标识
                  ClientName="vip用户",
                  AllowedGrantTypes = GrantTypes.ClientCredentials, // 客户端模式 进行身份验证
                  AllowedScopes = new [] {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "vip", "general"
                  },
                  ClientSecrets ={ new Secret("client_secret_31huiyi".Sha256()) }
              },
              new Client
              {
                 ClientId = "general1",
                 ClientName="普通用户",
                 AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,  //账号密码进行验证
                 ClientSecrets =
                 {
                     new Secret("client_secret_31huiyi".Sha256())
                 },
                 RedirectUris = { "http://localhost:7000/signin-oidc" }, // 登录成功跳转地址
                 PostLogoutRedirectUris = { "http://localhost:7000/signout-callback-oidc" }, // 支持退出域名地址
                 AllowedScopes = {
                      IdentityServerConstants.StandardScopes.OpenId,
                      IdentityServerConstants.StandardScopes.Profile,
                      "general" },
                 // 允许客户端刷新 token
                 AllowOfflineAccess = true,
                    //直接返回客户端需要的Claims
                 AlwaysIncludeUserClaimsInIdToken = true,
              },
              new Client
              {
                 ClientId = "gateway1",
                 ClientName="网关统一鉴权",
                 AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,  //账号密码进行验证
                 ClientSecrets =
                 {
                     new Secret("client_secret_31huiyi".Sha256())
                 },
                 RedirectUris = { "http://localhost:7000/signin-oidc" }, // 登录成功跳转地址
                 PostLogoutRedirectUris = { "http://localhost:7000/signout-callback-oidc" }, // 支持退出域名地址
                 AllowedScopes = {
                      IdentityServerConstants.StandardScopes.OpenId,
                      IdentityServerConstants.StandardScopes.Profile,
                      "vip","general","administrator" },
                 // 允许客户端刷新 token
                 AllowOfflineAccess = true,
                    //直接返回客户端需要的Claims
                 AlwaysIncludeUserClaimsInIdToken = true,
                 AccessTokenType=AccessTokenType.Jwt,
              },

          };

        public static List<TestUser> TestsUser =>
            new List<TestUser>
            {
                new TestUser()
                {
                    Username="17621825784",
                    Password="123456",
                    SubjectId="1",
                    Claims =
                    {
                        new Claim(JwtClaimTypes.Name, "李永利"),
                        new Claim(JwtClaimTypes.GivenName, "Yongli.li"),
                        new Claim(JwtClaimTypes.FamilyName, "Smith"),
                        new Claim(JwtClaimTypes.Email, "yongli.li@31huiyi.com"),
                        new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
                        new Claim(JwtClaimTypes.WebSite, "http://www.31huiyi.com"),
                        new Claim(JwtClaimTypes.Address, "某平路")
                    }
                },
                 new TestUser()
                {
                    Username="getway",
                    Password="123456",
                    SubjectId="2",
                    Claims =
                    {
                        new Claim(JwtClaimTypes.Name, "李永利"),
                        new Claim(JwtClaimTypes.GivenName, "Yongli.li"),
                        new Claim(JwtClaimTypes.FamilyName, "Smith"),
                        new Claim(JwtClaimTypes.Email, "yongli.li@31huiyi.com"),
                        new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
                        new Claim(JwtClaimTypes.WebSite, "http://www.31huiyi.com"),
                        new Claim(JwtClaimTypes.Address, "某平路")
                    }
                }
            };
    }
}
